From 490326919566279e6d3dbea6551c53f6a8c3276d Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Mon, 8 Sep 2025 12:57:30 +0530
Subject: [PATCH 1/3] Update netty version

---
 gradle.properties | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gradle.properties b/gradle.properties
index c08e51c1f..30cca2630 100644
--- a/gradle.properties
+++ b/gradle.properties
@@ -3,7 +3,7 @@ group=io.ballerina.stdlib
 version=2.14.2-SNAPSHOT
 ballerinaLangVersion=2201.12.0
 ballerinaTomlParserVersion=1.2.2
-nettyVersion=4.1.124.Final
+nettyVersion=4.1.126.Final
 slf4jVersion=1.7.30
 puppycrawlCheckstyleVersion=10.12.0
 unirestVersion=1.4.9
@@ -42,7 +42,7 @@ stdlibJwtVersion=2.15.0
 stdlibOAuth2Version=2.14.1
 
 # Level 05
-stdlibHttpVersion=2.14.3
+stdlibHttpVersion=2.14.5-20250908-122700-4e25094
 
 # Ballerinax Observer
 observeVersion=1.5.0
From bd86a6d47e1ab9cf978211d56f044cfd6a9bc998 Mon Sep 17 00:00:00 2001
From: TharmiganK
Date: Mon, 8 Sep 2025 12:57:57 +0530
Subject: [PATCH 2/3] Update changelog

---
 changelog.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/changelog.md b/changelog.md
index aecca455d..020605e4f 100644
--- a/changelog.md
+++ b/changelog.md
@@ -3,6 +3,12 @@ This file contains all the notable changes done to the Ballerina WebSocket packa
 
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [Unreleased]
+
+### Fixed
+
+- [Address `CVE-2025-58056` and `CVE-2025-58057` security vulnerabilities in Netty](https://github.com/ballerina-platform/ballerina-library/issues/8214)
+
 ## [2.14.1] - 2025-08-21
 
 ### Changed
From 45e300f7b41e811334a805dddc3604fc4f484e63 Mon Sep 17 00:00:00 2001
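Review bot: `stdlibHttpVersion=2.14.5-20250908-122700-4e25094` in the second gradle.properties hunk pins a timestamped pre-release build of the http module rather than a released version. The same build reaches the package through the generated `ballerina/Ballerina.toml` in PATCH 3/3, where the `http-native` entry declares `version = "2.14.5"` but its `path` is `./lib/http-native-2.14.5-20250908-122700-4e25094.jar`, so the declared version no longer identifies the jar that is bundled. Since this series is the fix for `CVE-2025-58056` and `CVE-2025-58057`, I would replace the pin with the released http version before this package is released, and until then mark it with a comment above the line such as `# TODO: timestamped http build, switch to the released version before release`. Whether that http build itself was built against Netty 4.1.126.Final is not visible in this diff and is worth confirming.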
From: TharmiganK
Date: Mon, 8 Sep 2025 13:11:47 +0530
Subject: [PATCH 3/3] [Automated] Update the native jar versions

---
 ballerina/Ballerina.toml | 44 +++++++++++++++++------------------
 ballerina/CompilerPlugin.toml | 2 +-
 ballerina/Dependencies.toml | 4 ++--
 3 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/ballerina/Ballerina.toml b/ballerina/Ballerina.toml
index 12ada3c74..d65c507ef 100644
--- a/ballerina/Ballerina.toml
+++ b/ballerina/Ballerina.toml
@@ -1,7 +1,7 @@
 [package]
 org = "ballerina"
 name = "websocket"
-version = "2.14.1"
+version = "2.14.2"
 authors = ["Ballerina"]
 keywords = ["ws", "network", "bi-directional", "streaming", "service", "client"]
 repository = "https://github.com/ballerina-platform/module-ballerina-websocket"
@@ -15,14 +15,14 @@ graalvmCompatible = true
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "websocket-native"
-version = "2.14.1"
-path = "../native/build/libs/websocket-native-2.14.1.jar"
+version = "2.14.2"
+path = "../native/build/libs/websocket-native-2.14.2-SNAPSHOT.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
 artifactId = "http-native"
-version = "2.14.3"
-path = "./lib/http-native-2.14.3.jar"
+version = "2.14.5"
+path = "./lib/http-native-2.14.5-20250908-122700-4e25094.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.ballerina.stdlib"
@@ -39,51 +39,51 @@ path = "./lib/constraint-native-1.7.0.jar"
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-common"
-version = "4.1.124.Final"
-path = "./lib/netty-common-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-common-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-buffer"
-version = "4.1.124.Final"
-path = "./lib/netty-buffer-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-buffer-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-transport"
-version = "4.1.124.Final"
-path = "./lib/netty-transport-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-transport-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-resolver"
-version = "4.1.124.Final"
-path = "./lib/netty-resolver-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-resolver-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler"
-version = "4.1.124.Final"
-path = "./lib/netty-handler-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-handler-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec-http"
-version = "4.1.124.Final"
-path = "./lib/netty-codec-http-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-codec-http-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-codec"
-version = "4.1.124.Final"
-path = "./lib/netty-codec-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-codec-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
 groupId = "io.netty"
 artifactId = "netty-handler-proxy"
-version = "4.1.124.Final"
-path = "./lib/netty-handler-proxy-4.1.124.Final.jar"
+version = "4.1.126.Final"
+path = "./lib/netty-handler-proxy-4.1.126.Final.jar"
 
 [[platform.java21.dependency]]
-path = "../test-utils/build/libs/websocket-test-utils-2.14.1.jar"
+path = "../test-utils/build/libs/websocket-test-utils-2.14.2-SNAPSHOT.jar"
 scope = "testOnly"
diff --git a/ballerina/CompilerPlugin.toml b/ballerina/CompilerPlugin.toml
index c70ca93a0..99321a410 100644
--- a/ballerina/CompilerPlugin.toml
+++ b/ballerina/CompilerPlugin.toml
@@ -3,4 +3,4 @@ id = "websocket-compiler-plugin"
 class = "io.ballerina.stdlib.websocket.plugin.WebSocketCompilerPlugin"
 
 [[dependency]]
-path = "../compiler-plugin/build/libs/websocket-compiler-plugin-2.14.1.jar"
+path = "../compiler-plugin/build/libs/websocket-compiler-plugin-2.14.2-SNAPSHOT.jar"
diff --git a/ballerina/Dependencies.toml b/ballerina/Dependencies.toml
index 4704d23f0..115228f6d 100644
--- a/ballerina/Dependencies.toml
+++ b/ballerina/Dependencies.toml
@@ -76,7 +76,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "http"
-version = "2.14.3"
+version = "2.14.5"
 dependencies = [
 {org = "ballerina", name = "auth"},
 {org = "ballerina", name = "cache"},
@@ -342,7 +342,7 @@ dependencies = [
 [[package]]
 org = "ballerina"
 name = "websocket"
-version = "2.14.1"
+version = "2.14.2"
 dependencies = [
 {org = "ballerina", name = "auth"},
 {org = "ballerina", name = "constraint"},